<!doctype html><html lang="en"><head>
    <meta charset="utf-8">
    <title>Revealing Emperor Dragonfly: Night Sky and Cheerscrypt - A Single Ransomware Group</title>
    <link rel="shortcut icon" href="https://blog.sygnia.co/hubfs/favicon.jpeg">
    <meta name="description" content="Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia.">
    
    
    
    <meta property="og:description" content="Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia.">
    <meta property="og:title" content="Revealing Emperor Dragonfly: Night Sky and Cheerscrypt - A Single Ransomware Group">
    <meta name="twitter:description" content="Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia.">
    <meta name="twitter:title" content="Revealing Emperor Dragonfly: Night Sky and Cheerscrypt - A Single Ransomware Group">

    

    
    <style>
a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px}
</style>

<link rel="stylesheet" href="https://blog.sygnia.co/hs-fs/hub/8776530/hub_generated/template_assets/56445893395/1655714961673/sygnia/css/styles.min.css">
<link rel="stylesheet" href="https://blog.sygnia.co/hs-fs/hub/8776530/hub_generated/module_assets/1662897923382/module_56445893274_u4m-header.css">
<link rel="stylesheet" href="https://blog.sygnia.co/hs-fs/hub/8776530/hub_generated/module_assets/56445893268/1645807777396/module_56445893268_u4m-footer.min.css">
    

    
<!--  Added by GoogleTagManager integration -->
<script>
var _hsp = window._hsp = window._hsp || [];

var hsLoadGtm = function loadGtm() {
    if(window._hsGtmLoadOnce) {
      return;
    }

    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
    new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
    j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
    'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
    })(window,document,'script','dataLayer','GTM-5L47WTV');

    window._hsGtmLoadOnce = true;
};

var useGoogleConsentMode = false;

if (!useGoogleConsentMode){
    _hsp.push(['addPrivacyConsentListener', function(consent){
      if(consent.allowed || (consent.categories && consent.categories.analytics)){
        hsLoadGtm();
      }
  }]);
} else{
    if(!window._hsGoogleConsentRunOnce){
      window._hsGoogleConsentRunOnce=true;

      window.dataLayer=window.dataLayer||[];
      function gtag(){dataLayer.push(arguments);}

      gtag('consent','default',{
        'ad_storage':'denied',
        'analytics_storage':'denied'
      });

      gtag('set','developer_id.dZTQ1Zm',true);

      _hsp.push(['addPrivacyConsentListener',function(consent){
      var hasAnalyticsConsent=consent&&(consent.allowed||(consent.categories&&consent.categories.analytics));
      var hasAdsConsent=consent&&(consent.allowed||(consent.categories&&consent.categories.advertisement));

      gtag('consent','update',{
        'ad_storage':hasAdsConsent?'granted':'denied',
        'analytics_storage':hasAnalyticsConsent?'granted':'denied'
      });
    }]);
  }

  hsLoadGtm();
}
</script>

<!-- /Added by GoogleTagManager integration -->


<meta name="viewport" content="width=device-width, initial-scale=1">

<link rel="amphtml" href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group?hs_amp=true">

<meta property="og:image" content="https://blog.sygnia.co/hubfs/EMPEROR%20DRAGONFLY2L.png#keepProtocol">
<meta property="og:image:width" content="4800">
<meta property="og:image:height" content="2400">
<meta property="og:image:alt" content="Emperor Dragonfly: Chinese Ransomware Threat Actor Identified by Sygnia  ">
<meta name="twitter:image" content="https://blog.sygnia.co/hubfs/EMPEROR%20DRAGONFLY2L.png#keepProtocol">
<meta name="twitter:image:alt" content="Emperor Dragonfly: Chinese Ransomware Threat Actor Identified by Sygnia  ">

<meta property="og:url" content="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group">
<meta name="twitter:card" content="summary_large_image">

<link rel="canonical" href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group">

<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://blog.sygnia.co/rss.xml">
<meta name="twitter:domain" content="blog.sygnia.co">
<script src="//platform.linkedin.com/in.js" type="text/javascript">
    lang: en_US
</script>

<meta http-equiv="content-language" content="en">






    
<meta name="generator" content="HubSpot"></head>
<body class="  hs-content-id-86417131946 hs-blog-post hs-blog-id-56076674194 ">
<!--  Added by GoogleTagManager integration -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5L47WTV" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

<!-- /Added by GoogleTagManager integration -->

    
    
        <div id="hs_cos_wrapper_u4m-header" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module">

<header class="u4m-header">
  <a class="skip-to-content-link" href="#main-content">Skip to content</a>
  <div class="ie11-banner"><div class="ie11-banner-inner"></div></div>
  <div class="inner">
    <div class="logo" style="max-width:190px;">
      <a href="https://www.sygnia.co/">
        <img loading="lazy" src="https://blog.sygnia.co/hubfs/5fce69d9338e1a4922628168_Logo.svg" alt="Sygnia">
      </a>
    </div>
    <div class="menu" style="width:100%;margin-left: 20px;margin-right: 20px;">
      <span id="hs_cos_wrapper_u4m-header_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="menu"><div id="hs_menu_wrapper_u4m-header_" class="hs-menu-wrapper active-branch flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="default" data-menu-id="78821741369" aria-label="Navigation Menu">
 <ul role="menu">
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/about" role="menuitem">ABOUT</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/careers" role="menuitem">CAREERS</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/contact-us" role="menuitem">CONTACT US</a></li>
 </ul>
</div></span>
      <span id="hs_cos_wrapper_u4m-header_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="menu"><div id="hs_menu_wrapper_u4m-header_" class="hs-menu-wrapper active-branch flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="default" data-menu-id="56706362462" aria-label="Navigation Menu">
 <ul role="menu">
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/proactive-defense" role="menuitem">Proactive Defense</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/offensive-security" role="menuitem">Adversarial Security</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/threat-response" role="menuitem">Threat Response</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/velocity-xdr" role="menuitem">Velocity XDR</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://resources.sygnia.co/" role="menuitem">Resources</a></li>
 </ul>
</div></span>
    </div>
    
    <button class="hamburger-toggle x2"><span class="lines"></span></button>
    <div class="offscreen-menu">
      <div class="content">
        <div class="mobile-search">
            <div class="hs-search-field"> 
              <div class="hs-search-field__bar"> 
                <form action="/hs-search-results">
                  <input type="text" class="hs-search-field__input search-input" name="term" autocomplete="off" aria-label="Search" placeholder="Search">
                  
                  <input type="hidden" name="type" value="SITE_PAGE">
                  <input type="hidden" name="type" value="LANDING_PAGE">
                  <input type="hidden" name="type" value="BLOG_POST">
                  <input type="hidden" name="type" value="LISTING_PAGE">
                  <input type="hidden" name="type" value="KNOWLEDGE_ARTICLE">     

                  
                      

                  
                  

                  
                  <button aria-label="Search" class="search-button"><i class="fas fa-search" aria-hidden="true"></i></button>
                </form>
              </div>
              <ul class="hs-search-field__suggestions"></ul>
            </div>
        </div>   
              
        <div class="mobile-menu"><span id="hs_cos_wrapper_u4m-header_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="menu"><div id="hs_menu_wrapper_u4m-header_" class="hs-menu-wrapper active-branch no-flyouts hs-menu-flow-vertical" role="navigation" data-sitemap-name="default" data-menu-id="79690221444" aria-label="Navigation Menu">
 <ul role="menu">
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/about" role="menuitem">About</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/careers" role="menuitem">Careers</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/contact-us" role="menuitem">Contact Us</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/proactive-defense" role="menuitem">Proactive Defense</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/offensive-security" role="menuitem">Adversarial Security</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/threat-response" role="menuitem">Threat Response</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://www.sygnia.co/velocity-xdr" role="menuitem">Velocity XDR</a></li>
  <li class="hs-menu-item hs-menu-depth-1" role="none"><a href="https://resources.sygnia.co/" role="menuitem">Resources</a></li>
 </ul>
</div></span></div>
        <div class="mobile-cta"><span id="hs_cos_wrapper_u4m-header_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_cta" style="" data-hs-cos-general-type="widget" data-hs-cos-type="cta"></span></div>
      </div>
    </div>  
  </div>
  <div class="search-overlay">
    <div class="hs-search-field"> 
      <div class="hs-search-field__bar"> 
        <form action="/hs-search-results">
          <input type="text" class="hs-search-field__input search-input" name="term" autocomplete="off" aria-label="Search" placeholder="Search">
          
          
          <input type="hidden" name="type" value="SITE_PAGE">
          <input type="hidden" name="type" value="LANDING_PAGE">
          <input type="hidden" name="type" value="BLOG_POST">
          <input type="hidden" name="type" value="LISTING_PAGE">
          <input type="hidden" name="type" value="KNOWLEDGE_ARTICLE">     
          
          
              
          
          
          
          
          <button aria-label="Search" class="search-button"><i class="fas fa-search" aria-hidden="true"></i></button>          
          <span class="search-overlay-close" aria-label="Close"><i class="fas fa-times" aria-hidden="true"></i></span>
        </form>
      </div>
      <ul class="hs-search-field__suggestions"></ul>
    </div>
  </div>

      
</header></div>
    

    
<main id="main-content" class="body-container-wrapper">

  
  <section class="u4m-blog-post">
    <!-- Blog Post Hero -->
    <div class="hero-image" style="background-image:url('https://blog.sygnia.co/hubfs/EMPEROR%20DRAGONFLY2L.png');"></div>
    <div class="back-button">


<a href="https://resources.sygnia.co/"><span>Back to</span> Resources</a>

</div>
    <div class="sticky-wrap">
      <div class="hero">
        <div class="share" id="share">
          <a href="https://twitter.com/intent/tweet?original_referer=https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group&amp;url=https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group&amp;source=tweetbutton" target="_blank" aria-label="Twitter"><span class="fab fa-twitter" aria-hidden="true"></span></a>
          <a href="http://www.linkedin.com/shareArticle?mini=true&amp;url=https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank" aria-label="LinkedIn"><span class="fab fa-linkedin" aria-hidden="true"></span></a>
          <a href="http://www.facebook.com/share.php?u=https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank" aria-label="Facebook"><span class="fab fa-facebook" aria-hidden="true"></span></a>
          <a href="mailto:?subject=Check%20out%20https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" aria-label="email"><span class="fa fa-envelope" aria-hidden="true"></span></a>
        </div>
        <div class="content">
          <h1 class="title"><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">Revealing Emperor Dragonfly: Night Sky and Cheerscrypt - A Single Ransomware Group</span></h1>
          <span class="date">October 3, 2022</span>
          
        </div>
      </div>
      <!-- End Blog Post Hero -->
    
      <!-- Blog Post Body -->
      <div class="body" id="body">
        <div class="content"><span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p>&nbsp;</p>
<p>&nbsp;</p>
<h2>Key Takeaways</h2>
<p>Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis&nbsp; &nbsp; &nbsp; &nbsp;revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia.</p>
<p>‘Emperor Dragonfly’ (A.K.A. DEV-0401 / BRONZE STARLIGHT) deployed open-source tools that were written by Chinese developers for Chinese users. This reinforces claims that the ‘Emperor Dragonfly’ ransomware operators are based in China.</p>
<p>Contrary to publicly available information, Cheerscrypt ransomware makes use of payloads that target both Windows and ESXi environments.</p>
<!--more--><br>
<h2 style="font-weight: bold;">Introduction</h2>
<p style="text-align: justify;">Sygnia recently investigated an incident involving Cheerscrypt ransomware. As the investigation progressed, it became clear that the threat actors had successfully maintained their presence inside the compromised network for several months. During the investigation, our incident response team made a significant discovery: the Tactics, Techniques and Procedures (TTPs) that were used in this attack strongly resemble those used by another ransomware group – Night Sky.</p>
<p style="text-align: justify;">The publicly-available information on Cheerscrypt is sparse and focuses on the final payload – the ransomware itself – and the subsequent encryption of ESXi servers. However, in this incident, Windows servers were also encrypted by Cheerscrypt’s ransomware encryptor.</p>
<p style="text-align: justify;">Sygnia decided to investigate the threat actors behind this attack, in an attempt to attribute the group to a known actor. Although Night Sky was previously identified as being associated with another threat group, Cheerscrypt was unknown. The only clue to their identity was that the threat actors behind Cheerscrypt present themselves as pro-Ukrainian, indicated by the phrase "Слава Україні!" <a href="https://en.wikipedia.org/wiki/Slava_Ukraini" rel="noopener" target="_blank">("Glory to Ukraine!")</a> and the Ukrainian flag that can be found on their dark web leak site.</p>
<p style="text-align: justify;">&nbsp;</p>
<p style="text-align: left;"><br><img src="https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%201.png?width=800&amp;name=Nightsky%20-%20Figure%201.png" alt="Cheerscrypt dark web leak site with the flag of Ukraine and the Ukrainian national salute" width="800" loading="lazy" style="width: 800px; margin-left: auto; margin-right: auto; display: block;" srcset="https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%201.png?width=400&amp;name=Nightsky%20-%20Figure%201.png 400w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%201.png?width=800&amp;name=Nightsky%20-%20Figure%201.png 800w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%201.png?width=1200&amp;name=Nightsky%20-%20Figure%201.png 1200w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%201.png?width=1600&amp;name=Nightsky%20-%20Figure%201.png 1600w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%201.png?width=2000&amp;name=Nightsky%20-%20Figure%201.png 2000w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%201.png?width=2400&amp;name=Nightsky%20-%20Figure%201.png 2400w" sizes="(max-width: 800px) 100vw, 800px"><span style="font-size: 10px;"></span></p>
<p style="text-align: center;"><em>Figure 1: Cheerscrypt dark web leak site with the flag of Ukraine and the Ukrainian national salute</em><span style="font-size: 10px;"><br><br></span></p>
<h2 style="text-align: justify;">Finding the Link: Night Sky and Cheerscrypt</h2>
<p>The attack kill-chain which Sygnia investigated can be broken down into four phases:</p>
<p style="font-weight: bold;">Initial access</p>
<p>In January 2022, a VMware Horizon server was compromised by threat actors leveraging the Log4Shell vulnerability (CVE-2021-4428). Shortly after, PowerShell was used to execute reconnaissance commands and communicate with a Command and Control (C&amp;C) server. The TTPs and the specific IOCs of this stage match the published information about <a href="https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" rel="noopener" target="_blank">Night Sky ransomware</a>.</p>
<p style="font-weight: bold;">Establishing foothold within the network</p>
<p>After the successful compromise, PowerShell was used to download three files, which consisted of a signed legitimate executable, a DLL, and an encrypted file. Next, the legitimate executable was abused to side-load a weaponized DLL, which loaded and decrypted a Cobalt Strike Beacon.</p>
<p>This method of Cobalt Strike deployment is a known TTP of the Night Sky operators, and the Beacon was downloaded from <a href="https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-night-sky-ransomware" rel="noopener" target="_blank">a known Night Sky C&amp;C server</a>. However, what Sygnia discovered next was surprising: in parallel to the Beacon deployment, three tools written in Go were also deployed. These binaries were compiled from open-source projects, created by Chinese-speaking developers, with documentation in English and Chinese. The binaries were identified as:</p>
<ol>
<li>A <a href="https://github.com/uknowsec/keylogger" rel="noopener" target="_blank">forked version</a> of a <a href="https://github.com/kmahyyg/keylogger" rel="noopener" target="_blank">keylogger</a> that supports uploading the key-stroke log to Alibaba Cloud Object Storage Service (Aliyun OSS).</li>
<li>A customized version of <a href="https://github.com/EddieIvan01/iox" rel="noopener" target="_blank">‘IOX’</a> – a port-forwarding and proxy tool. Based on its documentation, IOX can work as a simple ShadowSocks (an open-source encryption protocol used in China to circumvent internet censorship, tunneling under the Great Firewall), a fact which demonstrates that the target audience is Chinese.</li>
<li>A customized version of <a href="https://github.com/ehang-io/nps" rel="noopener" target="_blank">‘NPS’</a> – a tunneling tool that was deployed alongside IOX. The combination of the tools enabled the threat actors to create multiple connections through a single tunnel.</li>
</ol>
<p>The threat actors utilized the same compromised user account to deploy both the Cobalt Strike Beacons and the Go binaries. This user account was also used to create a system service which functioned as the Go tools persistence mechanism.</p>
<p style="font-weight: bold;">Lateral movement</p>
<p>The threat actors used the <a href="https://github.com/SecureAuthCorp/impacket" rel="noopener" target="_blank">Impacket</a> open-source tool to move laterally and perform reconnaissance activities within the network by executing code remotely. This was achieved by utilizing two of Impacket’s Python modules: ‘SMBExec.py’ and ‘WMIExec.py’.</p>
<p>SMBExec was also used to check whether some of the Cobalt Strike Beacons were still running on compromised systems.</p>
<p>In the weeks following the initial infiltration, additional Beacons were deployed inside the victim organization’s systems in the same way (using staging folders and executables previously attributed to Night Sky), communicating with a new C&amp;C server – one which was not previously attributed to Night Sky ransomware activity.</p>
<p style="font-weight: bold;">Data exfiltration and ransomware execution</p>
<p>In the final stages of the attack, the threat actors used the Rclone open-source command-line tool to exfiltrate sensitive information to Mega, a cloud storage service.</p>
<p>Shortly after, the threat actors delivered the final payload: Cheerscrypt ransomware. Although most publications describe Cheerscrypt as a Linux-based ransomware family that targets <a href="https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html" rel="noopener" target="_blank">ESXi servers</a>, in the case Sygnia investigated, both Windows and ESXi machines were encrypted.</p>
<p style="text-align: left;"><br><img src="https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%202.jpg?width=960&amp;name=Nightsky%20-%20Figure%202.jpg" alt="Nightsky - Figure 2" width="960" loading="lazy" style="width: 960px; margin-left: auto; margin-right: auto; display: block;" srcset="https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%202.jpg?width=480&amp;name=Nightsky%20-%20Figure%202.jpg 480w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%202.jpg?width=960&amp;name=Nightsky%20-%20Figure%202.jpg 960w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%202.jpg?width=1440&amp;name=Nightsky%20-%20Figure%202.jpg 1440w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%202.jpg?width=1920&amp;name=Nightsky%20-%20Figure%202.jpg 1920w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%202.jpg?width=2400&amp;name=Nightsky%20-%20Figure%202.jpg 2400w, https://blog.sygnia.co/hs-fs/hubfs/Imported_Blog_Media/Blog%20Post%20-%20From%20Nightsky%20to%20Cheerscrypt/Nightsky%20-%20Figure%202.jpg?width=2880&amp;name=Nightsky%20-%20Figure%202.jpg 2880w" sizes="(max-width: 960px) 100vw, 960px"><span style="font-size: 10px;"></span></p>
<p style="text-align: center;">Figure 2: Emperor Dragonfly TTPs as observed during the investigation. The black circles are known TTPs, while the golden circles are newly discovered TTPs, and they encompass both Cheerscrypt and Night Sky campaigns.</p>
<p style="text-align: center;">&nbsp;</p>
<h2 style="font-weight: bold;">Enter the Dragon: Emperor Dragonfly Ransomware Group</h2>
<p style="text-align: justify;">The fact that Night Sky IOCs were identified, but Cheerscrypt ransomware was deployed, prompted Sygnia’s Incident Response team to delve deeper into Cheerscrypt’s origins. It became clear that Cheerscrypt, like Night Sky, is another ransomware family developed by Emperor Dragonfly.</p>
<p style="text-align: justify;">Emperor Dragonfly – also known as DEV-0401, and BRONZE STARLIGHT – is a Chinese ransomware group that started operating in mid-2021. Unlike other ransomware groups, Emperor Dragonfly does not operate in an affiliate model and refrain from purchasing initial access from other threat actors. Instead, they manage all stages of the attack lifecycle on their own. The group often rebrand their ransomware payloads, which helps them stay under the radar and avoid sanctions – as they have the appearance of being several, smaller ransomware groups.</p>
<p style="text-align: justify;">In the world of ransomware affiliates and leaked ransomware source code, it is difficult to connect two ransomware strains with one threat actor. However, the following points represent the cumulative evidence which illustrates the correlations between Night Sky and Cheerscrypt when compared with Emperor Dragonfly:</p>
<ol>
<li style="text-align: justify;">The observed TTPs are known characteristics of Emperor Dragonfly attacks. These TTPs include the initial access vector, lateral movement technique, and the unique Cobalt Strike Beacon deployment, using DLL side-loading and an encrypted Beacon in a separate file. Interestingly, the initial access was part of<a href="https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" rel="noopener" target="_blank"> a wider exploitation of Log4Shell</a> that was attributed to Emperor Dragonfly, and occurred during the same time frame.<br><br></li>
<li style="text-align: justify;">Emperor Dragonfly routinely change their ransomware payloads. In the past year, the group used <a href="https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0401" rel="noopener" target="_blank">several ransomware families</a>, including LockFile, AtomSilo, Rook, Night Sky and Pandora. The encryptors of these ransomware families share code similarities, as they were all created from the leaked source code of Babuk ransomware. <a href="https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html" rel="noopener" target="_blank">Trend Micro’s analysis</a> of the Cheerscrypt ransomware encryptor revealed that it was also created from Babuk, indicating a possible link between Night Sky and Cheerscrypt.<br><br></li>
<li style="text-align: justify;">Emperor Dragonfly is <a href="https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0401" rel="noopener">described by Microsoft</a> as a ‘lone wolf’. Unlike other ransomware groups, they don’t work in an affiliate model (they don’t offer their ransomware in a ‘ransomware-as-a-service’ model), and they don’t purchase access from initial access brokers. This supports the assumption that a breach started by Emperor Dragonfly (with Night Sky TTPs) will probably be completed by Emperor Dragonfly (using a Cheerscrypt ransomware payload), and it is unlikely that this group sold or transferred this access to another group.<br><br></li>
<li style="text-align: justify;">Emperor Dragonfly is a <a href="https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader" rel="noopener">China-based ransomware operator</a>, making it a <a href="https://twitter.com/cglyer/status/1480738754906230790" rel="noopener">rarity</a> in today’s threat landscape. During Sygnia’s investigation, we discovered that in parallel to the Cobalt Strike Beacon deployment, three Go binaries were also deployed (see above). These Go tools are not commonly used by ransomware operators, and their GitHub popularity rank is relatively low. Emperor Dragonfly used the tools throughout the entire compromise: they were deployed during early stages and were still running as a persistence mechanism after the ransomware deployment. This is another indication that a single threat actor conducted the entire operation.<br>&nbsp;</li>
</ol>
<h2>The Hunt for Emperor Dragonfly</h2>
<p>The following hunting ideas will help you search the organizational network for traces of Emperor Dragonfly.</p>
<ul>
<li><strong> Search for binaries, scripts, and executions from suspicious folders.</strong> In the case of Emperor Dragonfly’s attack, the same folders were repeatedly used for staging tools throughout the operation. ‘.EXE’, ‘.DLL’, ‘.INI’, ‘.DAT’ and more files were dropped and executed from ‘C:\Windows\Help\*’, ‘C:\Windows\Debug\*’ and ‘C:\Users\Public\*’ folders.<br><br></li>
<li><strong> Search for evidence of SMBExec executions.</strong> For instance, a service called ‘BTOBTO’ was created on compromised machines with indicative command lines. The ‘BTOBTO’ service name is the default service name that is being used in SMBExec code, for remote code execution. The image command line had a specific format: ‘%COMSPEC%’ /Q /c &lt;COMMAND_TO_EXECUTE&gt; ^&gt; \\127.0.0.1\C$\__output 2^&gt;^&amp;1 &gt; %TEMP%\execute.bat &amp; %COMSPEC% /Q /c %TEMP%\execute.bat &amp; del %TEMP%\execute.bat’.<br><br></li>
<li><strong> Search for evidence of WMIExec executions.</strong> Files under ‘ADMIN$’ with the epoch timestamp of the tool’s execution are created on the target machine on which the command was executed. In addition, ‘cmd.exe’ is spawned from the WMI provider process (‘WmiPrvSE.exe’). The cmd.exe command line appears to be in a specific format, containing the string ‘\\127.0.0.1\ADMIN$\’ as the destination folder for the execution output file.<br><br></li>
<li><strong> Monitor users' authentications, and activity from unusual sources.</strong> Throughout their operation, the threat actors leveraged compromised user accounts to perform lateral movement between servers. This kind of activity might be flagged as suspicious, as users generally perform authentication from endpoints, and not from servers.<br><br></li>
</ul>
<h2>Defending against Emperor Dragonfly</h2>
<p>The following measures will help you defend against Emperor Dragonfly TTPs (as well as similar threats):</p>
<ul>
<li><span style="font-weight: bold;"> Identify and patch critical vulnerabilities.</span> If you are running VMware Horizon, follow VMware <a href="https://kb.vmware.com/s/article/87073" rel="noopener" target="_blank">advisory</a> to ensure the currently installed version is patched against the <a href="/log4shell-remote-code-execution-advisory" rel="noopener" target="_blank">Log4Shell</a> vulnerability, which was exploited as the initial infiltration vector. More generally, it is essential to conduct frequent vulnerability scans and swiftly mitigate discovered issues, with a special focus on internet-facing systems. External Attack Surface Management (EASM) tools, or even more traditional vulnerability or port scanners, can be leveraged to identify publicly exposed vulnerable interfaces.<br><br></li>
<li><strong> Limit outbound internet access from servers.</strong> Denying egress traffic by default would’ve blocked the ability to communicate with the threat actor’s C&amp;C server, as well as with the cloud storage services (Alibaba, Mega), thus mitigating persistence and data exfiltration activities. Allow outbound connectivity to only specific destinations (FQDN or IP addresses), on a strict need-to-have basis.<br><br></li>
<li><span style="font-weight: bold;"> Protect the virtualization platform.</span> Ransomware attacks targeting virtualization platforms is a growing trend, due to their simplicity and efficiency from the perspective of threat actors. Among the most prominent security controls for VMware against this threat are allowing traffic towards vCenter and ESXi hosts only from protected bastion hosts, enabling strict <a href="https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-88B24613-E8F9-40D2-B838-225F5FF480FF.html" rel="noopener" target="_blank">lockdown mode</a>, and restricting unsigned scripts by enabling the <a href="https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-9047A43D-BB1F-4878-A971-EEFCAC183C86.html" rel="noopener" target="_blank">‘execInstalledOnly’ flag</a>. In addition, ensure virtual machines are securely backed-up; for example, if VM backups are made using snapshots which are stored on the same folder as the machine, threat actors may encrypt backups as well.<br><br></li>
<li><strong> Limit lateral movement through the network.</strong> Threat actors often leverage common management ports to move laterally between hosts, and Emperor Dragonfly is no different, with the use of SMBExec and WMIExec. Restricting traffic over such ports (namely SMB 445, RPC 135, WinRM 5985-5986, RDP 3389, SSH 22), and allowing traffic only from designated specific hosts, may be cumbersome in complex networks, but brings immense value. This may be achieved by host-based firewalls, proper network segmentation, or modern microsegmention technologies.<br><br></li>
<li style="text-align: left;"><span style="font-weight: bold;"> Protect privileged accounts.</span> Minimize the risk of privilege escalation by hardening the <a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory" rel="noopener" target="_blank">Active Directory environment</a>, applying the principle of least privilege and AD administrative tier model, employing robust credential and password hygiene practices, and considering the implementation of Privileged Identity and Access solutions. While these security measures are by no means unique to Emperor Dragonfly TTPs, compromising privileged accounts and using them to move laterally and execute the ransomware is a practice noticed in the described incidents as well.<br>&nbsp;</li>
</ul>
<h2>Appendix I: Indicators of Compromise&nbsp;</h2>
<p>&nbsp;Cobalt Strike Beacons&nbsp;</p>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;">
<table style="width: 100%; border-collapse: collapse; table-layout: fixed; border: 1px solid #99acc2; height: 778px;">
<tbody>
<tr style="height: 65px;">
<td style="height: 65px; width: 34.5833%; text-align: left;">
<p><strong>&nbsp;MD5&nbsp;</strong></p>
</td>
<td style="height: 65px; width: 29.5833%; text-align: left;">
<p><strong>Description </strong></p>
</td>
<td style="height: 65px; width: 35.8333%; text-align: left;">
<p><strong>File Name </strong></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 34.5833%; height: 89px;" width="352">
<p>&nbsp;<span style="font-size: 16px;">37011eed9de6a90f3be3e1cbba6c5ab2</span></p>
</td>
<td style="width: 29.5833%; height: 89px;" width="159">
<p><span style="font-size: 16px;">Encrypted Cobalt Strike payload</span></p>
</td>
<td style="width: 35.8333%; height: 89px;" width="211">
<p><span style="font-size: 16px;">C:\Windows\Help\OEM\ContentStore\vlcplayer.dat</span></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 34.5833%; height: 89px;" width="352">
<p>&nbsp;240118f6205effcb3a12455a81cfb1c7</p>
</td>
<td style="width: 29.5833%; height: 89px;" width="159">
<p>Weaponized DLL loaded by FCAuth.exe</p>
</td>
<td style="width: 35.8333%; height: 89px;" width="211">
<p>C:\Windows\Help\Corporate\utilsdll.dll</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 34.5833%; height: 89px;" width="352">
<p>&nbsp;e5fd4d5774ad97e5c04b69deae33dc9e</p>
</td>
<td style="width: 29.5833%; height: 89px;" width="159">
<p>Weaponized DLL loaded by mfeann.exe</p>
</td>
<td style="width: 35.8333%; height: 89px;" width="211">
<p>C:\Windows\debug\LockDown.dll</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 34.5833%; height: 89px;" width="352">
<p>&nbsp;2893d476408e23b7e8a65c6898fe43fa</p>
</td>
<td style="width: 29.5833%; height: 89px;" width="159">
<p>Encrypted Cobalt Strike payload</p>
</td>
<td style="width: 35.8333%; height: 89px;" width="211">
<p>C:\Windows\Help\Corporate\auth.dat</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 34.5833%; height: 89px;" width="352">
<p>&nbsp;8161d8339411ddd6d99d54d3aefa2943</p>
</td>
<td style="width: 29.5833%; height: 89px;" width="159">
<p>Encrypted Cobalt Strike payload</p>
</td>
<td style="width: 35.8333%; height: 89px;" width="211">
<p>C:\Windows\debug\debug.dat</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 34.5833%; height: 89px;" width="352">
<p>&nbsp;5a852305ffb7b5abeb39fcb9a37122ff</p>
</td>
<td style="width: 29.5833%; height: 89px;" width="159">
<p>Weaponized DLL loaded by vlc.exe</p>
</td>
<td style="width: 35.8333%; height: 89px;" width="211">
<p>C:\Windows\Help\Corporate\libvlc.dll</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 34.5833%; height: 89px;" width="352">
<p>&nbsp;f0656e3a70ab0a10f8d054149f12c935</p>
</td>
<td style="width: 29.5833%; height: 89px;" width="159">
<p>Encrypted Cobalt Strike payload</p>
</td>
<td style="width: 35.8333%; height: 89px;" width="211">
<p>C:\Windows\Help\Corporate\auth.dat</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 34.5833%; height: 89px;" width="352">
<p>&nbsp;37011eed9de6a90f3be3e1cbba6c5ab2</p>
</td>
<td style="width: 29.5833%; height: 89px;" width="159">
<p>Encrypted Cobalt Strike payload</p>
</td>
<td style="width: 35.8333%; height: 89px;" width="211">
<p>C:\Windows\Help\Corporate\vlcplayer.dat</p>
</td>
</tr>
</tbody>
</table>
</div>
<p>&nbsp;Go Tools</p>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;">
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 100%; border: 1px solid #99acc2; height: 309px;">
<tbody>
<tr style="height: 65px;">
<td style="width: 36.0416%; height: 65px;" width="64">
<p><strong>&nbsp;MD5&nbsp;</strong></p>
</td>
<td style="width: 22.6042%; height: 65px;" width="64">
<p><strong>Description &nbsp;</strong></p>
</td>
<td style="width: 41.3542%; height: 65px;" width="64">
<p><strong>File Name &nbsp;</strong></p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 36.0416%; height: 89px;" width="64">
<p>&nbsp;5695de561a065123178067fcedf39ce3</p>
</td>
<td style="width: 22.6042%; height: 89px;" width="64">
<p>NPC client for NPS tunnel tool</p>
</td>
<td style="width: 41.3542%; height: 89px;" width="64">
<p>C:\Windows\Help\mui\0409\WindowsUpdate.exe</p>
</td>
</tr>
<tr style="height: 65px;">
<td style="width: 36.0416%; height: 65px;" width="64">
<p>&nbsp;ea4ca87315d14f5142aaef1f5e287417</p>
</td>
<td style="width: 22.6042%; height: 65px;" width="64">
<p>Keylogger</p>
</td>
<td style="width: 41.3542%; height: 65px;" width="64">
<p>C:\Windows\Help\OEM\ContentStore.exe</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 36.0416%; height: 89px;" width="64">
<p>&nbsp;5a6008cf994779cde1698a0e80bb817d</p>
</td>
<td style="width: 22.6042%; height: 89px;" width="64">
<p>IOX port forwarder and proxy</p>
</td>
<td style="width: 41.3542%; height: 89px;" width="64">
<p>C:\Windows\Help\Windows\dec.exe</p>
</td>
</tr>
</tbody>
</table>
</div>
<p>&nbsp;Additional Artifacts</p>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;">
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 100%; border: 1px solid #99acc2; height: 619px;">
<tbody>
<tr style="height: 65px;">
<td style="width: 44.5835%; height: 65px;" width="402">
<p><strong>&nbsp;Artifact&nbsp;</strong></p>
</td>
<td style="width: 55.3123%; height: 65px;" width="433">
<p><strong>Description &nbsp;</strong></p>
</td>
</tr>
<tr style="height: 133px;">
<td style="width: 44.5835%; height: 133px;" width="402">
<p>&nbsp;GrPpQGgI4se5fTIRkxBj/nfbcPvfJWpyY5EtRD0hf/CW9u6cXM4f4VKyyzaHJG/OLcdjB95YaMDP6Y1d-Mg</p>
</td>
<td style="width: 55.3123%; height: 133px;" width="433">
<p>Go Build ID of NPS client-side binary (WindowsUpdate.exe)</p>
</td>
</tr>
<tr style="height: 133px;">
<td style="width: 44.5835%; height: 133px;" width="402">
<p style="vertical-align: baseline;">GriAm-TYSQig04-nXbTE/9gsYQSitnL9GPHKgpNUX/ <br>QA-vmpyo7vFHuU7RQ\ Y/ _NwncoU6QsMYGeukgxTd</p>
</td>
<td style="width: 55.3123%; height: 133px;" width="433">
<p>Go Build ID of the keylogger (ContentStore.exe)</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 44.5835%; height: 89px;" width="402">
<p>&nbsp;System Service Update</p>
</td>
<td style="width: 55.3123%; height: 89px;" width="433">
<p>Service name; persistency mechanism for NPS client-side binary</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="width: 44.5835%; height: 89px;" width="402">
<p>&nbsp;C85A6814B99C8302AF484563D47D9658</p>
</td>
<td style="width: 55.3123%; height: 89px;" width="433">
<p>MD5 hash of SharpShares, an open-source tool to enumerate shares</p>
</td>
</tr>
<tr style="height: 109px;">
<td style="width: 44.5835%; height: 109px;" width="402">
<p>07d14d16d21d21d00042d41d00041d47e4e0ae17960b2a5b4fd6107fbb0926</p>
</td>
<td style="width: 55.3123%; height: 109px;" width="433">
<p>JARM hash of the Cobalt Strike C&amp;C servers</p>
</td>
</tr>
</tbody>
</table>
</div>
<p>&nbsp;Network Indicators</p>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;">
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 100%; border: 1px solid #99acc2; height: 415px;">
<tbody>
<tr style="height: 65px;">
<td style="height: 65px; width: 22.9167%;" width="402">
<p><strong>&nbsp;IP Address&nbsp;</strong></p>
</td>
<td style="height: 65px; width: 43.5416%;" width="433">
<p><strong>Description &nbsp;</strong></p>
</td>
<td style="height: 65px; width: 33.4375%;" width="64">
<p><strong>URL</strong></p>
</td>
</tr>
<tr style="height: 65px;">
<td style="height: 65px; width: 22.9167%;" width="402">
<p>&nbsp;207[.]148[.]122[.]171</p>
</td>
<td style="height: 65px; width: 43.5416%;" width="433">
<p>C&amp;C server</p>
</td>
<td style="height: 65px; width: 33.4375%;" width="64">
<p>api[.]rogerscorp[.]org</p>
</td>
</tr>
<tr style="height: 89px;">
<td style="height: 89px; width: 22.9167%;" width="402">
<p>&nbsp;139[.]180[.]217[.]203</p>
</td>
<td style="height: 89px; width: 43.5416%;" width="433">
<p>C&amp;C server (Cobalt Strike Beacon was downloaded from this IP)</p>
</td>
<td style="height: 89px; width: 33.4375%;" width="64">&nbsp;</td>
</tr>
<tr style="height: 65px;">
<td style="height: 65px; width: 22.9167%;" width="402">
<p>&nbsp;178[.]128[.]102[.]13</p>
</td>
<td style="height: 65px; width: 43.5416%;" width="433">
<p>Cobalt Strike C&amp;C server</p>
</td>
<td style="height: 65px; width: 33.4375%;" width="64">&nbsp;</td>
</tr>
<tr style="height: 65px;">
<td style="height: 65px; width: 22.9167%;" width="402">
<p>&nbsp;139[.]59[.]243[.]219</p>
</td>
<td style="height: 65px; width: 43.5416%;" width="433">
<p>Cobalt Strike C&amp;C server</p>
</td>
<td style="height: 65px; width: 33.4375%;" width="64">&nbsp;</td>
</tr>
<tr style="height: 65px;">
<td style="height: 65px; width: 22.9167%;" width="402">
<p>&nbsp;128[.]199[.]151[.]146</p>
</td>
<td style="height: 65px; width: 43.5416%;" width="433">
<p>NPS server</p>
</td>
<td style="height: 65px; width: 33.4375%;" width="64">&nbsp;</td>
</tr>
</tbody>
</table>
</div>
<p>&nbsp;Legitimate Executables &nbsp;</p>
<div data-hs-responsive-table="true" style="overflow-x: auto; max-width: 100%; width: 100%; margin-left: auto; margin-right: auto;">
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 100%; border: 1px solid #99acc2; height: 286px;">
<tbody>
<tr style="height: 54px;">
<td style="width: 33.2291%; padding: 4px; height: 54px;" width="402">
<p><strong>MD5&nbsp;</strong></p>
</td>
<td style="width: 32.9167%; padding: 4px; height: 54px;" width="433">
<p><strong>Description&nbsp;&nbsp;</strong></p>
</td>
<td style="width: 33.75%; padding: 4px; height: 54px;" width="64">
<p><strong>File Name&nbsp;&nbsp;</strong></p>
</td>
</tr>
<tr style="height: 77px;">
<td style="width: 33.2291%; padding: 4px; height: 77px;" width="402">
<p><span>f9322ead69300501356b13d751165daa</span></p>
</td>
<td style="width: 32.9167%; padding: 4px; height: 77px;" width="433">
<p><span>Signed McAfee file used to side-load LockDown.dll</span></p>
</td>
<td style="width: 33.75%; padding: 4px; height: 77px;" width="64">
<p><span>&nbsp;c:\Windows\debug\mfeann.exe</span></p>
</td>
</tr>
<tr style="height: 77px;">
<td style="width: 33.2291%; padding: 4px; height: 77px;" width="402">
<p><span>51be3e3a8101bc4298b43a64540c422b</span></p>
</td>
<td style="width: 32.9167%; padding: 4px; height: 77px;" width="433">
<p><span>Signed FortiClient file used to side-load utilsdll.dll</span></p>
</td>
<td style="width: 33.75%; padding: 4px; height: 77px;" width="64">
<p><span>C:\Windows\Help\Corporate\FCAuth.exe&nbsp;&nbsp;</span></p>
</td>
</tr>
<tr style="height: 77px;">
<td style="width: 33.2291%; padding: 4px; height: 77px;" width="402">
<p><span>e2904f5301b35b2722faf578d1f7a4d4</span></p>
</td>
<td style="width: 32.9167%; padding: 4px; height: 77px;" width="433">
<p><span>Signed VLC file used to side-load libvlc.dll</span></p>
</td>
<td style="width: 33.75%; padding: 4px; height: 77px;" width="64">
<p><span>C:\Windows\Help\Corporate\vlc.exe</span></p>
</td>
</tr>
</tbody>
</table>
</div>
<h2>Appendix II: MITRE ATT&amp;CK TTPs</h2>
<ol>
<li>Initial Access
<ol style="list-style-type: lower-alpha;">
<li>T1190: Exploit Public-Facing Application</li>
</ol>
</li>
<li>Execution
<ol style="list-style-type: lower-alpha;">
<li>T1059.001: Command and Scripting Interpreter: PowerShell</li>
<li>T1059.003: Command and Scripting Interpreter: Windows Command Shell</li>
<li>T1047: Windows Management Instrumentation</li>
<li>T1569.002: System Services: Service Execution</li>
</ol>
</li>
<li>Persistence
<ol style="list-style-type: lower-alpha;">
<li>T1543.003: Create or Modify System Process: Windows Service</li>
</ol>
</li>
<li>Defense Evasion
<ol style="list-style-type: lower-alpha;">
<li>T1027.002: Obfuscated Files or Information: Software Packing</li>
<li>T1574.002: Hijack Execution Flow: DLL Side-Loading</li>
<li>T1070.004: Indicator Removal on Host: File Deletion</li>
</ol>
</li>
<li>Discovery
<ol style="list-style-type: lower-alpha;">
<li>T1135: Network Share Discovery</li>
<li>T1087.002: Account Discovery: Domain Account</li>
<li>T1082: System Information Discovery</li>
<li>T1016: System Network Configuration Discovery</li>
</ol>
</li>
<li>Lateral Movement
<ol style="list-style-type: lower-alpha;">
<li>T1570: Lateral Tool Transfer</li>
<li>T1021.001: Remote Services: Remote Desktop Protocol</li>
</ol>
</li>
<li>Collection
<ol style="list-style-type: lower-alpha;">
<li>T1039: Data from Network Shared Drive</li>
<li>T1056.001: Input Capture: Keylogging</li>
</ol>
</li>
<li>Command &amp; Control
<ol style="list-style-type: lower-alpha;">
<li>T1090: Proxy</li>
<li>T1095: Non-Application Layer Protocol</li>
<li>T1572: Protocol Tunneling</li>
<li>T1071.001: Application Layer Protocol: Web Protocols</li>
<li>T1132.001: Data Encoding: Standard Encoding</li>
<li>T1573: Encrypted Channel</li>
</ol>
</li>
<li>Exfiltration
<ol style="list-style-type: lower-alpha;">
<li>T1048: Exfiltration Over Alternative Protocol</li>
<li>T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage</li>
</ol>
</li>
<li>Impact
<ol style="list-style-type: lower-alpha;">
<li>T1486: Data Encrypted for Impact<br><br></li>
</ol>
</li>
</ol>
<p style="text-align: justify;"><em style="font-size: 16rem; background-color: transparent;">Contributors: Oren Biderman, Amnon Kushnir, Noam Lifshitz, Ori Porag, Yoav Mazor, Erez Kalman, Haim Nachmias</em></p>
<a id="Additionalinks" data-hs-anchor="true"></a>
<h2 style="text-align: justify;">&nbsp;</h2>
<section>
<p style="text-align: justify;">&nbsp;</p>
<p style="text-align: justify;"><span style="font-size: 10px;">This advisory and any information or recommendation contained herein has been prepared for general informational purposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to any entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources and to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is not responsible for any errors or omissions, or for the results obtained from the use of this Advisory. This Advisory is provided on an as-is basis, and without warranties of any kind.</span></p>
<a href="https://www.sygnia.co/resources"></a></section></span></div>
        <div class="topics">
          <span class="label">Tag(s):</span> 
           
          <a class="link" href="https://blog.sygnia.co/tag/featured">Featured</a> 
          ,  
           
          <a class="link" href="https://blog.sygnia.co/tag/threat-report">Threat Report</a> 
          ,  
           
          <a class="link" href="https://blog.sygnia.co/tag/threat-research">Threat Research</a> 
           
          
        </div>
      </div>
      
    </div>
    <!-- End Blog Post Body -->
  
    <!-- Blog Post Author -->
    
    <!-- End Blog Post Author -->  
  
    
  
  </section>
  <div class="back-button">


<a href="https://resources.sygnia.co/"><span>Back to</span> Resources</a>

</div>
  <div id="hs_cos_wrapper_u4m_resource_type" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"></div>
  
</main>


    
        <div id="hs_cos_wrapper_u4m-footer" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><footer class="u4m-footer">
  
  <div class="utility">
    
    <div class="links"><span class="copyright">Copyright © 2022 Sygnia, Inc. All rights reserved.</span><span class="utility"><a href="https://www.sygnia.co/privacy">Privacy</a> <a href="https://www.sygnia.co/terms">Terms of use</a></span></div>
  </div>
</footer></div>
    
    
    
<script>
(function () {
    window.addEventListener('load', function () {
        setTimeout(function () {
            var xhr = new XMLHttpRequest();
            xhr.open('POST', '/_hcms/perf', true /*async*/);
            xhr.setRequestHeader("Content-type", "application/json");
            xhr.onreadystatechange = function () {
                // do nothing.
            };
            var connection = navigator.connection || navigator.mozConnection || navigator.webkitConnection;
            function populateNetworkInfo(name, connection, info) {
                if (name in connection) {
                    info[name] = connection[name];
                }
            }
            var networkInfo = {};
            if (connection) {
                ['type', 'effectiveType', 'downlink', 'rtt'].forEach(function(name) {
                    populateNetworkInfo(name, connection, networkInfo);
                });
            }
            var perfData = {
                url: location.href,
                portal: 8776530,
                content: 86417131946,
                group: -1,
                connection: networkInfo,
                timing: performance.timing
            };
            xhr.send(JSON.stringify(perfData));
        }, 3000);  // Execute this 3 seconds after onload.
    });
})();
</script>


<script>
// Stick sharing
document.addEventListener('DOMContentLoaded', function() {

    var Sticky = new hcSticky('#share', {
      stickTo: '.sticky-wrap',
      top: 100
    });
  
});
</script>

<script>
var hsVars = hsVars || {}; hsVars['language'] = 'en';
</script>

<script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script>
<script src="https://302335.fs1.hubspotusercontent-na1.net/hubfs/302335/scripts/jquery-3.5.1.min.js"></script>
<script src="https://302335.fs1.hubspotusercontent-na1.net/hubfs/302335/unified3/libraries/hubspot.search.min.js"></script>
<script src="https://302335.fs1.hubspotusercontent-na1.net/hubfs/302335/unified3/libraries/jquery.nb.offscreenMenuToggle.min.js"></script>
<script src="https://302335.fs1.hubspotusercontent-na1.net/hubfs/302335/unified3/libraries/aos3.min.js"></script>
<script src="https://302335.fs1.hubspotusercontent-na1.net/hubfs/302335/unified-assets/lazyload.min.js"></script>
<script src="https://302335.fs1.hubspotusercontent-na1.net/hubfs/302335/unified3/libraries/js.cookie.min.js"></script>
<script src="https://302335.fs1.hubspotusercontent-na1.net/hubfs/302335/hc-sticky.js"></script>
<script src="https://blog.sygnia.co/hs-fs/hub/8776530/hub_generated/module_assets/56445893274/1662897923339/module_56445893274_u4m-header.min.js"></script>
<script src="/hs/hsstatic/keyboard-accessible-menu-flyouts/static-1.17/bundles/project.js"></script>

      <script>
          function newBreed() {
              console.log('Unified 4' + '\n' + '---' + '\n' + '- Domain = blog.sygnia.co' + '\n' + '- Current URL = https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group' + '\n' + '- URL Slug = revealing-emperor-dragonfly-a-chinese-ransomware-group' + '\n' + '- Portal = 8776530' + '\n' + '---' + '\n' + 'Template' + '\n' + '- Name = blog-post.html' + '\n' + '- Category = normal_blog_post' + '\n' + '- Homepage? = false' + '\n' + '- Landing Page? = ');
          };
          newBreed();
      </script>
  

<!-- Start of HubSpot Analytics Code -->
<script type="text/javascript">
var _hsq = _hsq || [];
_hsq.push(["setContentType", "blog-post"]);
_hsq.push(["setCanonicalUrl", "https:\/\/blog.sygnia.co\/revealing-emperor-dragonfly-a-chinese-ransomware-group"]);
_hsq.push(["setPageId", "86417131946"]);
_hsq.push(["setContentMetadata", {
    "contentPageId": 86417131946,
    "legacyPageId": "86417131946",
    "contentFolderId": null,
    "contentGroupId": 56076674194,
    "abTestId": null,
    "languageVariantId": 86417131946,
    "languageCode": "en",
    
}]);
</script>

<script type="text/javascript" id="hs-script-loader" async defer src="/hs/scriptloader/8776530.js"></script>
<!-- End of HubSpot Analytics Code -->


<script type="text/javascript">
var hsVars = {
    ticks: 1665880579660,
    page_id: 86417131946,
    
    content_group_id: 56076674194,
    portal_id: 8776530,
    app_hs_base_url: "https://app.hubspot.com",
    cp_hs_base_url: "https://cp.hubspot.com",
    language: "en",
    analytics_page_type: "blog-post",
    analytics_page_id: "86417131946",
    category_id: 3,
    folder_id: 0,
    is_hubspot_user: false
}
</script>


<script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.138/js/index.js"></script>



<div id="fb-root"></div>
 <script>(function(d, s, id) {
  var js, fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) return;
  js = d.createElement(s); js.id = id;
  js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1&status=0";
  fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
 <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
 



</body></html>